Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19/12/2024, 03:15
Static task
static1
General
-
Target
80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe
-
Size
2.9MB
-
MD5
0d8d9a494648862b4b225c7bec0cc18a
-
SHA1
9cdd81df5c5ba351c461aab9d795614c9ec5541d
-
SHA256
80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19
-
SHA512
230ad3917607d5b87a703538358e264ab588517f32c72e49b52776c8fe791019434f3429c5b4a0be5e9515b14b21b6ef63398ba69fb897d86ba839edf9c80dda
-
SSDEEP
49152:n5BThkNfxP3CrE633uhAslc//8RSriLmBGk2ZzX:5BThkNfxP3CrEq3uhVSX8RSOQwj
Malware Config
Extracted
amadey
4.42
9c9aa5
http://185.215.113.43
-
install_dir
abc3bc1985
-
install_file
skotes.exe
-
strings_key
8a35cf2ea38c2817dba29a4b5b25dcf0
-
url_paths
/Zu7JuNko/index.php
Extracted
lumma
Extracted
cryptbot
http://home.fivetk5vt.top/hLfzXsaqNtoEGyaUtOMJ1734
Extracted
stealc
stok
http://185.215.113.206
-
url_path
/c4becf79229cb002.php
Signatures
-
Amadey family
-
Cryptbot family
-
Lumma family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" VH12VCXFX35W3AEYX6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" VH12VCXFX35W3AEYX6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" VH12VCXFX35W3AEYX6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" VH12VCXFX35W3AEYX6.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" VH12VCXFX35W3AEYX6.exe -
Stealc family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2704 created 1336 2704 aba470669f.exe 21 -
Xmrig family
-
Enumerates VirtualBox registry keys 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 7bdc45c53c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF 56381c8ead.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 14 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ aba470669f.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 95f9465fd1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VH12VCXFX35W3AEYX6.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ VR6f3vF.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5327feaad1.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 56381c8ead.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ANEDNjf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 90e72d3e0c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7bdc45c53c.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 62da928c46.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ skotes.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 72fa3f10db.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe -
XMRig Miner payload 10 IoCs
resource yara_rule behavioral1/memory/3208-721-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-722-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-723-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-724-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-725-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-726-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-727-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-738-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-736-0x0000000140000000-0x0000000140770000-memory.dmp xmrig behavioral1/memory/3208-739-0x0000000140000000-0x0000000140770000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2136 powershell.exe 1564 powershell.exe 2296 powershell.exe 2460 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 28 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VR6f3vF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 62da928c46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 72fa3f10db.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 95f9465fd1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VH12VCXFX35W3AEYX6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion aba470669f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7bdc45c53c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VR6f3vF.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 72fa3f10db.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 56381c8ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7bdc45c53c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 95f9465fd1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5327feaad1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5327feaad1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion aba470669f.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ANEDNjf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion skotes.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VH12VCXFX35W3AEYX6.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 56381c8ead.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 90e72d3e0c.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 62da928c46.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 90e72d3e0c.exe -
Executes dropped EXE 35 IoCs
pid Process 2932 skotes.exe 2092 VR6f3vF.exe 1264 kf5cl0F.exe 2220 ANEDNjf.exe 1560 b28c016796.exe 2872 6463f8867a.exe 736 90e72d3e0c.exe 456 5327feaad1.exe 2404 56381c8ead.exe 1216 0fdaf30c9f.exe 2704 aba470669f.exe 1488 65e155d8ec.exe 2120 b28c016796.exe 2140 b28c016796.exe 1208 b28c016796.exe 2088 b28c016796.exe 964 b28c016796.exe 2336 7bdc45c53c.exe 2732 40f2c012eb.exe 1676 62da928c46.exe 2700 7z.exe 1668 7z.exe 1972 7z.exe 1460 7z.exe 436 7z.exe 2216 7z.exe 2828 7z.exe 2200 7z.exe 1612 in.exe 896 72fa3f10db.exe 2052 b7ece6f5d8.exe 1992 95f9465fd1.exe 2232 VH12VCXFX35W3AEYX6.exe 876 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe 2392 Intel_PTT_EK_Recertification.exe -
Identifies Wine through registry keys 2 TTPs 14 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine VR6f3vF.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 5327feaad1.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 62da928c46.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 72fa3f10db.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 95f9465fd1.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 90e72d3e0c.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 56381c8ead.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine skotes.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine ANEDNjf.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine aba470669f.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine 7bdc45c53c.exe Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine VH12VCXFX35W3AEYX6.exe -
Loads dropped DLL 57 IoCs
pid Process 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 868 cmd.exe 2700 7z.exe 868 cmd.exe 1668 7z.exe 868 cmd.exe 1972 7z.exe 868 cmd.exe 1460 7z.exe 868 cmd.exe 436 7z.exe 868 cmd.exe 2216 7z.exe 868 cmd.exe 2828 7z.exe 868 cmd.exe 2200 7z.exe 868 cmd.exe 868 cmd.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 2932 skotes.exe 1676 62da928c46.exe 1676 62da928c46.exe 1676 62da928c46.exe 1676 62da928c46.exe 1536 taskeng.exe 1536 taskeng.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 95f9465fd1.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" VH12VCXFX35W3AEYX6.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\62da928c46.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017302001\\62da928c46.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\72fa3f10db.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017303001\\72fa3f10db.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\b7ece6f5d8.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017304001\\b7ece6f5d8.exe" skotes.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\95f9465fd1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1017305001\\95f9465fd1.exe" skotes.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x000600000001a469-431.dat autoit_exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 2932 skotes.exe 2092 VR6f3vF.exe 2220 ANEDNjf.exe 736 90e72d3e0c.exe 456 5327feaad1.exe 2404 56381c8ead.exe 2704 aba470669f.exe 2336 7bdc45c53c.exe 1676 62da928c46.exe 896 72fa3f10db.exe 1992 95f9465fd1.exe 2232 VH12VCXFX35W3AEYX6.exe 876 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2392 set thread context of 3208 2392 Intel_PTT_EK_Recertification.exe 113 -
resource yara_rule behavioral1/memory/1612-413-0x000000013F420000-0x000000013F8B0000-memory.dmp upx behavioral1/memory/2392-729-0x000000013F2F0000-0x000000013F780000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\skotes.job 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 31 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5327feaad1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dialer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language skotes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40f2c012eb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b28c016796.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 62da928c46.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage b7ece6f5d8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VH12VCXFX35W3AEYX6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 98EF0QC32A92UHKSHWU108NSUZ1AQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ANEDNjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0fdaf30c9f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7bdc45c53c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language b7ece6f5d8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b7ece6f5d8.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language VR6f3vF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 56381c8ead.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kf5cl0F.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 90e72d3e0c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aba470669f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 72fa3f10db.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 95f9465fd1.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2760 powershell.exe 2496 PING.EXE 3256 powershell.exe 3372 PING.EXE -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 5 IoCs
pid Process 2368 taskkill.exe 1512 taskkill.exe 2640 taskkill.exe 2728 taskkill.exe 3016 taskkill.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings firefox.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 ANEDNjf.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ANEDNjf.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ANEDNjf.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a ANEDNjf.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 2496 PING.EXE 3372 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2304 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 2932 skotes.exe 2092 VR6f3vF.exe 1264 kf5cl0F.exe 2220 ANEDNjf.exe 2460 powershell.exe 2092 VR6f3vF.exe 2092 VR6f3vF.exe 2092 VR6f3vF.exe 2092 VR6f3vF.exe 2136 powershell.exe 2220 ANEDNjf.exe 2220 ANEDNjf.exe 2220 ANEDNjf.exe 2220 ANEDNjf.exe 736 90e72d3e0c.exe 456 5327feaad1.exe 2404 56381c8ead.exe 456 5327feaad1.exe 456 5327feaad1.exe 456 5327feaad1.exe 456 5327feaad1.exe 2404 56381c8ead.exe 2404 56381c8ead.exe 2404 56381c8ead.exe 2404 56381c8ead.exe 2404 56381c8ead.exe 1216 0fdaf30c9f.exe 1564 powershell.exe 2296 powershell.exe 2704 aba470669f.exe 2704 aba470669f.exe 2704 aba470669f.exe 2704 aba470669f.exe 2704 aba470669f.exe 2428 dialer.exe 2428 dialer.exe 2428 dialer.exe 2428 dialer.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 1560 b28c016796.exe 2336 7bdc45c53c.exe 2336 7bdc45c53c.exe 2336 7bdc45c53c.exe 2336 7bdc45c53c.exe 2336 7bdc45c53c.exe 2336 7bdc45c53c.exe 1676 62da928c46.exe 896 72fa3f10db.exe 2760 powershell.exe 1676 62da928c46.exe 1676 62da928c46.exe 1676 62da928c46.exe 1676 62da928c46.exe 2052 b7ece6f5d8.exe 1992 95f9465fd1.exe -
Suspicious use of AdjustPrivilegeToken 51 IoCs
description pid Process Token: SeDebugPrivilege 1264 kf5cl0F.exe Token: SeDebugPrivilege 2460 powershell.exe Token: SeDebugPrivilege 2136 powershell.exe Token: SeDebugPrivilege 1560 b28c016796.exe Token: SeDebugPrivilege 1216 0fdaf30c9f.exe Token: SeDebugPrivilege 1564 powershell.exe Token: SeDebugPrivilege 2296 powershell.exe Token: SeRestorePrivilege 2700 7z.exe Token: 35 2700 7z.exe Token: SeSecurityPrivilege 2700 7z.exe Token: SeSecurityPrivilege 2700 7z.exe Token: SeRestorePrivilege 1668 7z.exe Token: 35 1668 7z.exe Token: SeSecurityPrivilege 1668 7z.exe Token: SeSecurityPrivilege 1668 7z.exe Token: SeRestorePrivilege 1972 7z.exe Token: 35 1972 7z.exe Token: SeSecurityPrivilege 1972 7z.exe Token: SeSecurityPrivilege 1972 7z.exe Token: SeRestorePrivilege 1460 7z.exe Token: 35 1460 7z.exe Token: SeSecurityPrivilege 1460 7z.exe Token: SeSecurityPrivilege 1460 7z.exe Token: SeRestorePrivilege 436 7z.exe Token: 35 436 7z.exe Token: SeSecurityPrivilege 436 7z.exe Token: SeSecurityPrivilege 436 7z.exe Token: SeRestorePrivilege 2216 7z.exe Token: 35 2216 7z.exe Token: SeSecurityPrivilege 2216 7z.exe Token: SeSecurityPrivilege 2216 7z.exe Token: SeRestorePrivilege 2828 7z.exe Token: 35 2828 7z.exe Token: SeSecurityPrivilege 2828 7z.exe Token: SeSecurityPrivilege 2828 7z.exe Token: SeRestorePrivilege 2200 7z.exe Token: 35 2200 7z.exe Token: SeSecurityPrivilege 2200 7z.exe Token: SeSecurityPrivilege 2200 7z.exe Token: SeDebugPrivilege 2760 powershell.exe Token: SeDebugPrivilege 1512 taskkill.exe Token: SeDebugPrivilege 2640 taskkill.exe Token: SeDebugPrivilege 2728 taskkill.exe Token: SeDebugPrivilege 3016 taskkill.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 1992 95f9465fd1.exe Token: SeDebugPrivilege 2232 VH12VCXFX35W3AEYX6.exe Token: SeDebugPrivilege 1072 firefox.exe Token: SeDebugPrivilege 1072 firefox.exe Token: SeDebugPrivilege 3256 powershell.exe Token: SeLockMemoryPrivilege 3208 explorer.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 1072 firefox.exe 1072 firefox.exe 1072 firefox.exe 1072 firefox.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe -
Suspicious use of SendNotifyMessage 14 IoCs
pid Process 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe 1072 firefox.exe 1072 firefox.exe 1072 firefox.exe 2052 b7ece6f5d8.exe 2052 b7ece6f5d8.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2932 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 30 PID 2408 wrote to memory of 2932 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 30 PID 2408 wrote to memory of 2932 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 30 PID 2408 wrote to memory of 2932 2408 80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe 30 PID 2932 wrote to memory of 2092 2932 skotes.exe 32 PID 2932 wrote to memory of 2092 2932 skotes.exe 32 PID 2932 wrote to memory of 2092 2932 skotes.exe 32 PID 2932 wrote to memory of 2092 2932 skotes.exe 32 PID 2932 wrote to memory of 1264 2932 skotes.exe 33 PID 2932 wrote to memory of 1264 2932 skotes.exe 33 PID 2932 wrote to memory of 1264 2932 skotes.exe 33 PID 2932 wrote to memory of 1264 2932 skotes.exe 33 PID 2932 wrote to memory of 2220 2932 skotes.exe 35 PID 2932 wrote to memory of 2220 2932 skotes.exe 35 PID 2932 wrote to memory of 2220 2932 skotes.exe 35 PID 2932 wrote to memory of 2220 2932 skotes.exe 35 PID 1264 wrote to memory of 2460 1264 kf5cl0F.exe 36 PID 1264 wrote to memory of 2460 1264 kf5cl0F.exe 36 PID 1264 wrote to memory of 2460 1264 kf5cl0F.exe 36 PID 1264 wrote to memory of 2460 1264 kf5cl0F.exe 36 PID 1264 wrote to memory of 2136 1264 kf5cl0F.exe 39 PID 1264 wrote to memory of 2136 1264 kf5cl0F.exe 39 PID 1264 wrote to memory of 2136 1264 kf5cl0F.exe 39 PID 1264 wrote to memory of 2136 1264 kf5cl0F.exe 39 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 1560 2932 skotes.exe 41 PID 2932 wrote to memory of 2872 2932 skotes.exe 42 PID 2932 wrote to memory of 2872 2932 skotes.exe 42 PID 2932 wrote to memory of 2872 2932 skotes.exe 42 PID 2932 wrote to memory of 2872 2932 skotes.exe 42 PID 2932 wrote to memory of 736 2932 skotes.exe 44 PID 2932 wrote to memory of 736 2932 skotes.exe 44 PID 2932 wrote to memory of 736 2932 skotes.exe 44 PID 2932 wrote to memory of 736 2932 skotes.exe 44 PID 2932 wrote to memory of 456 2932 skotes.exe 45 PID 2932 wrote to memory of 456 2932 skotes.exe 45 PID 2932 wrote to memory of 456 2932 skotes.exe 45 PID 2932 wrote to memory of 456 2932 skotes.exe 45 PID 2932 wrote to memory of 2404 2932 skotes.exe 46 PID 2932 wrote to memory of 2404 2932 skotes.exe 46 PID 2932 wrote to memory of 2404 2932 skotes.exe 46 PID 2932 wrote to memory of 2404 2932 skotes.exe 46 PID 2932 wrote to memory of 1216 2932 skotes.exe 47 PID 2932 wrote to memory of 1216 2932 skotes.exe 47 PID 2932 wrote to memory of 1216 2932 skotes.exe 47 PID 2932 wrote to memory of 1216 2932 skotes.exe 47 PID 1216 wrote to memory of 1564 1216 0fdaf30c9f.exe 49 PID 1216 wrote to memory of 1564 1216 0fdaf30c9f.exe 49 PID 1216 wrote to memory of 1564 1216 0fdaf30c9f.exe 49 PID 1216 wrote to memory of 1564 1216 0fdaf30c9f.exe 49 PID 1216 wrote to memory of 2296 1216 0fdaf30c9f.exe 51 PID 1216 wrote to memory of 2296 1216 0fdaf30c9f.exe 51 PID 1216 wrote to memory of 2296 1216 0fdaf30c9f.exe 51 PID 1216 wrote to memory of 2296 1216 0fdaf30c9f.exe 51 PID 2932 wrote to memory of 2704 2932 skotes.exe 53 PID 2932 wrote to memory of 2704 2932 skotes.exe 53 PID 2932 wrote to memory of 2704 2932 skotes.exe 53 PID 2932 wrote to memory of 2704 2932 skotes.exe 53 PID 2704 wrote to memory of 2428 2704 aba470669f.exe 80 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
pid Process 2204 attrib.exe 2480 attrib.exe 1568 attrib.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1336
-
C:\Users\Admin\AppData\Local\Temp\80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe"C:\Users\Admin\AppData\Local\Temp\80ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"C:\Users\Admin\AppData\Local\Temp\1017019001\VR6f3vF.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"C:\Users\Admin\AppData\Local\Temp\1017024001\kf5cl0F.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\skbyiyc"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"C:\Users\Admin\AppData\Local\Temp\1017027001\ANEDNjf.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2220
-
-
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"5⤵
- Executes dropped EXE
PID:2120
-
-
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"5⤵
- Executes dropped EXE
PID:2140
-
-
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"5⤵
- Executes dropped EXE
PID:1208
-
-
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"5⤵
- Executes dropped EXE
PID:2088
-
-
C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"C:\Users\Admin\AppData\Local\Temp\1017292001\b28c016796.exe"5⤵
- Executes dropped EXE
PID:964
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017293001\6463f8867a.exe"C:\Users\Admin\AppData\Local\Temp\1017293001\6463f8867a.exe"4⤵
- Executes dropped EXE
PID:2872
-
-
C:\Users\Admin\AppData\Local\Temp\1017294001\90e72d3e0c.exe"C:\Users\Admin\AppData\Local\Temp\1017294001\90e72d3e0c.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:736
-
-
C:\Users\Admin\AppData\Local\Temp\1017295001\5327feaad1.exe"C:\Users\Admin\AppData\Local\Temp\1017295001\5327feaad1.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:456
-
-
C:\Users\Admin\AppData\Local\Temp\1017296001\56381c8ead.exe"C:\Users\Admin\AppData\Local\Temp\1017296001\56381c8ead.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\1017297001\0fdaf30c9f.exe"C:\Users\Admin\AppData\Local\Temp\1017297001\0fdaf30c9f.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\wycixamgci"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017298001\aba470669f.exe"C:\Users\Admin\AppData\Local\Temp\1017298001\aba470669f.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\1017299001\65e155d8ec.exe"C:\Users\Admin\AppData\Local\Temp\1017299001\65e155d8ec.exe"4⤵
- Executes dropped EXE
PID:1488
-
-
C:\Users\Admin\AppData\Local\Temp\1017300001\7bdc45c53c.exe"C:\Users\Admin\AppData\Local\Temp\1017300001\7bdc45c53c.exe"4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\1017301001\40f2c012eb.exe"C:\Users\Admin\AppData\Local\Temp\1017301001\40f2c012eb.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"5⤵
- Loads dropped DLL
PID:868 -
C:\Windows\system32\mode.commode 65,106⤵PID:2920
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p24291711423417250691697322505 -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_7.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_6.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_5.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_4.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:436
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_2.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_1.zip -oextracted6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
-
C:\Windows\system32\attrib.exeattrib +H "in.exe"6⤵
- Views/modifies file attributes
PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\main\in.exe"in.exe"6⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\system32\attrib.exeattrib +H +S C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:1568
-
-
C:\Windows\system32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe7⤵
- Views/modifies file attributes
PID:2480
-
-
C:\Windows\system32\schtasks.exeschtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE7⤵
- Scheduled Task/Job: Scheduled Task
PID:2304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.0.0.1; del in.exe7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2496
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017302001\62da928c46.exe"C:\Users\Admin\AppData\Local\Temp\1017302001\62da928c46.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1676 -
C:\Users\Admin\AppData\Local\Temp\VH12VCXFX35W3AEYX6.exe"C:\Users\Admin\AppData\Local\Temp\VH12VCXFX35W3AEYX6.exe"5⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2232
-
-
C:\Users\Admin\AppData\Local\Temp\98EF0QC32A92UHKSHWU108NSUZ1AQ.exe"C:\Users\Admin\AppData\Local\Temp\98EF0QC32A92UHKSHWU108NSUZ1AQ.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:876
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017303001\72fa3f10db.exe"C:\Users\Admin\AppData\Local\Temp\1017303001\72fa3f10db.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:896
-
-
C:\Users\Admin\AppData\Local\Temp\1017304001\b7ece6f5d8.exe"C:\Users\Admin\AppData\Local\Temp\1017304001\b7ece6f5d8.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2052 -
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM firefox.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM chrome.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2640
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM msedge.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM opera.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM brave.exe /T5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking5⤵PID:1896
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking6⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1072 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.0.1436051128\316936825" -parentBuildID 20221007134813 -prefsHandle 1212 -prefMapHandle 1148 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe131abe-d381-4236-82b7-dd7bfd0ee3b6} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 1288 103f1058 gpu7⤵PID:1572
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.1.2081746435\812066976" -parentBuildID 20221007134813 -prefsHandle 1492 -prefMapHandle 1488 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab67a5f-f3dc-40bd-828e-dfdb7a5c4ff1} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 1504 d73958 socket7⤵PID:2608
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.2.104364263\1595154054" -childID 1 -isForBrowser -prefsHandle 2056 -prefMapHandle 2052 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6492995b-c081-42ca-b772-99c2eed074d1} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 2068 19cc3b58 tab7⤵PID:2396
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.3.423385785\2054890590" -childID 2 -isForBrowser -prefsHandle 2948 -prefMapHandle 2944 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54a81597-a029-413a-a27b-4e91f0f54468} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 2960 1a138b58 tab7⤵PID:2036
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.4.805870205\1706138693" -childID 3 -isForBrowser -prefsHandle 3848 -prefMapHandle 3736 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {93f77f09-4d7f-446f-a3e5-4a7386886913} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 3860 1a08d558 tab7⤵PID:3316
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.5.1109735029\118647447" -childID 4 -isForBrowser -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a60b06c-b66f-43bb-bbe4-053a961ab945} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 4060 1f93b258 tab7⤵PID:3336
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1072.6.170903644\1222416308" -childID 5 -isForBrowser -prefsHandle 4048 -prefMapHandle 3860 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 604 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {468a63e2-9e9d-4def-9923-b16ee39a1c9c} 1072 "\\.\pipe\gecko-crash-server-pipe.1072" 4072 1f9b2258 tab7⤵PID:3348
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1017305001\95f9465fd1.exe"C:\Users\Admin\AppData\Local\Temp\1017305001\95f9465fd1.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
-
-
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2428
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1194069391184780304520383964231222801348-1268396547-3677767771911703132-1347848787"1⤵PID:2428
-
C:\Windows\system32\taskeng.exetaskeng.exe {2EC96B29-71DA-4A58-9EA4-B9035F38CEDA} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Loads dropped DLL
PID:1536 -
C:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exeC:\Users\Admin\AppData\Roaming\Intel_PTT_EK_Recertification.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2392 -
C:\Windows\explorer.exeexplorer.exe3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe3⤵
- Drops file in System32 directory
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3256 -
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.1.10.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3372
-
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Discovery
Browser Information Discovery
1Query Registry
7Remote System Discovery
1System Information Discovery
3System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Virtualization/Sandbox Evasion
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp
Filesize31KB
MD54194159d24a1b8fd4140d1222d72363c
SHA14b48e92c0f5af9c752e554ff1939c63532353afd
SHA2568bb68f47a2ccd66ad47bcccf485c03602e5375591455281142798505b62368ae
SHA512d171213a45a635b05af17a5fec9412c4627e0c04b11e99de119e9a606d0547a2fcff6094c2580295446c3e7bd7c6e66ecefb478bb629214d8d09c2ed904cdaf2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
1.8MB
MD5ff279f4e5b1c6fbda804d2437c2dbdc8
SHA12feb3762c877a5ae3ca60eeebc37003ad0844245
SHA256e115298ab160da9c7a998e4ae0b72333f64b207da165134ca45eb997a000d378
SHA512c7a8bbcb122b2c7b57c8b678c5eed075ee5e7c355afbf86238282d2d3458019da1a8523520e1a1c631cd01b555f7df340545fd1e44ad678dc97c40b23428f967
-
Filesize
21KB
MD514becdf1e2402e9aa6c2be0e6167041e
SHA172cbbae6878f5e06060a0038b25ede93b445f0df
SHA2567a769963165063758f15f6e0cece25c9d13072f67fa0d3c25a03a5104fe0783a
SHA51216b837615505f352e134afd9d8655c9cabfa5bfcfbee2c0c34f2d7d9588aa71f875e4e5feb8cdf0f7bacc00f7c1ca8dabd3b3d92afc99abf705c05c78e298b4a
-
Filesize
1.8MB
MD525fb9c54265bbacc7a055174479f0b70
SHA14af069a2ec874703a7e29023d23a1ada491b584e
SHA256552f8be2c6b2208a89c728f68488930c661b3a06c35a20d133ef7d3c63a86b9c
SHA5127dfd9e0f3fa2d68a6ce8c952e3b755559db73bb7a06c95ad6ed8ac16dedb49be8b8337afc07c9c682f0c4be9db291a551286353e2e2b624223487dc1c8b54668
-
Filesize
3.1MB
MD5c00a67d527ef38dc6f49d0ad7f13b393
SHA17b8f2de130ab5e4e59c3c2f4a071bda831ac219d
SHA25612226ccae8c807641241ba5178d853aad38984eefb0c0c4d65abc4da3f9787c3
SHA5129286d267b167cba01e55e68c8c5582f903bed0dd8bc4135eb528ef6814e60e7d4dda2b3611e13efb56aa993635fbab218b0885daf5daea6043061d8384af40ca
-
Filesize
758KB
MD5afd936e441bf5cbdb858e96833cc6ed3
SHA13491edd8c7caf9ae169e21fb58bccd29d95aefef
SHA256c6491d7a6d70c7c51baca7436464667b4894e4989fa7c5e05068dde4699e1cbf
SHA512928c15a1eda602b2a66a53734f3f563ab9626882104e30ee2bf5106cfd6e08ec54f96e3063f1ab89bf13be2c8822a8419f5d8ee0a3583a4c479785226051a325
-
Filesize
4.3MB
MD5d6cfec5f8c250d92d751030c95d46aec
SHA170439cf2611f97c84af487c44b88703d004a2bca
SHA2560200c5657794ccc0916aae772004b7f72a793b77dc807b51b2f88e597813f611
SHA512a939f9af174d37e3d32d0794b1f14110deffd7847b884a79b5fd300bcc7c30ce285f6dbbc41ad6ab5bd237bb6353efb7ddee903a8ec155a10840dec8c25d9bbb
-
Filesize
1.9MB
MD5d6070b7d0ec34e67a998dbe217c6c746
SHA164e771f2bcb20e9ccc89c8b4a9cf1b36e431d491
SHA25610b27d9cb387fa4ac371de8767d5204925ca4da9c490ea8e2491b1a60c49fd85
SHA51252bc768f8654cef43e62abfdba30878313aea5893d80759c633d84ce01c701b05e6f24c995f3a2568ab16ca69e6c1223b7e39c74c509fd6607bfa5e9418784f3
-
Filesize
747KB
MD58a9cb17c0224a01bd34b46495983c50a
SHA100296ea6a56f6e10a0f1450a20c5fb329b8856c1
SHA2563d51b9523b387859bc0d94246dfb216cfa82f9d650c8d11be11ed67f70e7440b
SHA5121472e4670f469c43227b965984ecc223a526f6284363d8e08a3b5b55e602ccce62df4bc49939ee5bd7df7b0c26e20da896b084eccab767f8728e6bf14d71c840
-
Filesize
4.2MB
MD5fa2b9ef3eedea37bee3f07f9a580ca57
SHA1886267a5d0287a9e8385aa7337f7c0dfb6e0c3b2
SHA256bb2af2fb0383047e427ce40b100535426c1037778a3e3c713158d02d6ab6c8a2
SHA512a5ffb97936a0c9b4451436b9b8d5e433a108ad5c9c70c9bce55e8597e7b76e9d8d0786663f9e535bb313a51a1ed75a482c08dba6ec64eafe46029905ad406f64
-
Filesize
4.2MB
MD53a425626cbd40345f5b8dddd6b2b9efa
SHA17b50e108e293e54c15dce816552356f424eea97a
SHA256ba9212d2d5cd6df5eb7933fb37c1b72a648974c1730bf5c32439987558f8e8b1
SHA512a7538c6b7e17c35f053721308b8d6dc53a90e79930ff4ed5cffecaa97f4d0fbc5f9e8b59f1383d8f0699c8d4f1331f226af71d40325022d10b885606a72fe668
-
Filesize
1.7MB
MD581cfbdcd567c50d28a6380910dd6cf83
SHA13fac13a3e2416853ce16ed6052ba91e4ec978c86
SHA25655cb3e812b8545ae08027c08bc3d8d0ffc8e6cd2854547a582ab3c4e2db88d1d
SHA512fd083c0ec0a95175ef05afb2c60cc1990b868d0a5db483372a294bda2955db7dbe586ab9c3633a7bbb2bfc6f478e09b2f5e04fae41393a626dbb53345fc81838
-
Filesize
2.7MB
MD5b02d86ff1695f8c3faf80f6e5cd1b8bf
SHA1aaf7bc27106152a25b5ad8ce4c643f4def00bfe8
SHA256ff283c5f3e854c82dcfb4ea631f5f68496fb1654d025b5f3acfae5318c5ed088
SHA5124c219352d2555f183b143ec875f7944c622d1f5fdd5969caf46844e537fd8852c0309e9d9d0cadc55e151bda2cc49eff2d8bb2d84e81ce5261f2e0f474fc7098
-
Filesize
945KB
MD5457285e2cf3c306e05a2dc450c9748ad
SHA1d9d57583b4eac7332c9ff79869695b995ba44d2f
SHA2560c9c4c41cda2b02f17a65d180643a428c70c4535d0e214739c3d461403408f06
SHA512f4c5f17aa2e388e4f682869999ca7ff10c79cd2a66e2803c630c75a2748399201805ac7bf0a352132bd8f9ae06420a51a2c5a003a5b4d1a011ddbc12ee728003
-
Filesize
1.7MB
MD551501deb706a509a1dec7745ecf713e3
SHA17a925e2f3231498ab0cbd8cefe9b475fbab5f58b
SHA256fe72e6a8775634e7d76adecf570a2866a81714d3e3d7be6174c8fefb327f2f0b
SHA512cae65b34492e2c8413bcc19448697bd8c76e685046b60ecc65b313a49e4d7f9e9df24f0593f4691cffca1d8c7e9bc077bb2df7918767614b2172167bdc847476
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
2.9MB
MD50d8d9a494648862b4b225c7bec0cc18a
SHA19cdd81df5c5ba351c461aab9d795614c9ec5541d
SHA25680ad8a72e6f252005e02bbf6ea7b3502955d3a22619e7e0f132013e349bdcb19
SHA512230ad3917607d5b87a703538358e264ab588517f32c72e49b52776c8fe791019434f3429c5b4a0be5e9515b14b21b6ef63398ba69fb897d86ba839edf9c80dda
-
Filesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
Filesize
440B
MD53626532127e3066df98e34c3d56a1869
SHA15fa7102f02615afde4efd4ed091744e842c63f78
SHA2562a0e18ef585db0802269b8c1ddccb95ce4c0bac747e207ee6131dee989788bca
SHA512dcce66d6e24d5a4a352874144871cd73c327e04c1b50764399457d8d70a9515f5bc0a650232763bf34d4830bab70ee4539646e7625cfe5336a870e311043b2bd
-
Filesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD58c5b703a4176dbcaf93e1687df326e8e
SHA11da5e11b5defdd8a7569c7d920db7a72515584f6
SHA2566959af6bbf38d08a6b49309704003a70ffdd1afef8eda2479f2b2bcac8ecc01c
SHA512e574835c9617e20e2b4e7fdce18ad8c7a27f351f7098231d57e0b23291667f4fb6ece7a050617bbf131140ffdbd3ee53234e6f4eef997751a99f6b81ba9d1430
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin
Filesize9KB
MD54c0e6c8d963085f5c501c7b32d8acbf9
SHA1548832cc152815eb429da20b9555cd0cb48bcc27
SHA256c9d9dd299e58ed13bdaa6c903dfa7dd94193b04254951752348dffd6bcf341af
SHA5120258943628c7128cff6b2f6d5abbd114b2cc9dd83081f858258cd49fa026b906f36271bf6265b7feba4dac6fd7eb845893931014d365d1003be891cc8715137f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\1e619b05-2cc3-4fe3-a5eb-be5dc8a7950c
Filesize733B
MD580675f2513896ac72f327a7d4f4ab9a5
SHA1670104b80f7e0e0619e3c84a34ac3095c019b946
SHA256b7bbc07321912181857a3956cf31f8bf285417dca070981bdff8d862588ad3aa
SHA512d51ed1f4b17a24747d39c0ddff3a34ac4038ce2295686ca4a4dc8b01df727902a462c1fe37536a3e1ce0b79c36e0e6c90280fdaad3a1df814eeae57915980bac
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
Filesize
6KB
MD564f90b83cf9b8c80b3195ac1ad201f01
SHA14982de22908d6ffa51a0a164cdd7bb306b615a3c
SHA25608f3438e337f56b320a81ac8c78ba94ed7479190b6f25e98dc6ddf2bbe048f69
SHA5127116f62e504c5fd7a826fe0c0282b0c4aceb004485053456c05fe8eb1209d20f85f51be51eff74c7c438f094c8b0c5d91902bd39a1507bc18fe40cd448f0a2ec
-
Filesize
6KB
MD53d5aef73503b1f38a8c544c1eb5bd050
SHA1074fa4238c34380a26697f0f2e97154433537044
SHA256f7c02d07e18a9d16b6c061135a41e3e78569bd3ed56e9992a799e73d068f66b1
SHA512d197392baa967952e4e6b1efc26006e66e90f6891ce0425148b3994266e41f722eaa348ac0a60e6bdbfc069189f07753cdb5120ecd017eb5879dd8d79534598e
-
Filesize
7KB
MD52f393996f8faa90e958ff317ca8be23b
SHA115ec7684a27e3b62ab4a89c8c4b45baca152a95e
SHA256c35d104c0a52b8af6fae475787aa5b598188c684411e77116aa48d81f0a42a79
SHA51250d66d55d22158d8b520ea18ef6c137420be0ea49d6876f6fae55f09bda77c3d4b992e2be4d015885afc9f479cc62327c82fb940c6d6357ee788f3e67a5ed7ef
-
Filesize
7KB
MD56cf35a833ce7b0c63edd00b2f3b510a8
SHA13efe11b72106ea9904222205d52d4ccc691aa122
SHA256cc15392e591c5470822c90490ec4f0cd9944e1d0aadc0a936ab35fe2e2a6e053
SHA512689758e4be70a506265d8e215938233be0d47bfd656fff41ee2a36681b0db461478d63662c8d581d9686d6fb42db592105f8ba91ddc8e18537f982871ebd03c7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD56aeb791179d2934d7f0bc66d7c5d0258
SHA184e64c586817c15b4fb69d7da28d90204947fb6a
SHA2564efa3e363a16d2fc48ca12d22da7e2f6b5bc8cc246fe339d58b7b772c2972575
SHA51257bd1e59eccbc8718231dd5bebaebfce4b82df736910810d725a975138d1cf6cb193fd5f3b0f6f2f9467615c359f5564079cfaffdad78b0638f50be53c45ee3a